The global telephone network is relied upon by billions every day.
Central to its operation is the Signaling System 7 (SS7) protocol, which
is used for setting up calls, managing mobility, and facilitating many
other network services. This protocol was originally built on the
assumption that only a small number of trusted parties would be able to
directly communicate with its core infrastructure. As a result, SS7
\emph{--- as a feature ---} allows all parties with core access to
redirect and intercept calls for any subscriber anywhere in the world.
Unfortunately, increased interconnectivity with the SS7 network has led
to a growing number of illicit call redirection attacks. We address
such attacks with Sonar, a system that detects the presence of SS7
redirection attacks by securely measuring call audio round-trip times
between telephony devices. This approach works because redirection
attacks force calls to travel longer physical distances than usual,
thereby creating longer end-to-end delay. We design and implement a
distance bounding-inspired protocol that allows us to securely
characterize the round-trip time between the two endpoints. We then use
custom hardware deployed in 10 locations across the United States and a
redirection testbed to characterize how distance affects round-trip time
in phone networks. We develop a model using this testbed and show Sonar
is able to detect 70.9\% of redirected calls between call endpoints of
varying attacker proximity (300--7100 miles) with low false positive
rates (0.3\%). Finally, we ethically perform actual SS7 redirection
attacks on our own devices with the help of an industry partner to
demonstrate that Sonar detects 100\% of such redirections in a real
network (\emph{with no false positives}). As such, we demonstrate that
telephone users can reliably detect SS7 redirection attacks and protect
the integrity of their calls.